dataset encryption – just do it!

©

August 2020

Dataset Encryption – Just

Do It!Greg BoydJulie Bergh

©

Greg Boyd

Greg Boyd is a Certified Information Systems Security Specialist (CISSP). Greg retired from IBM in 2014 and started his own consulting firm, Mainframe Crypto, to provide consulting and technical assistance for implementing cryptographic solutions. Prior to leaving IBM, Greg spent the last 10 years providing technical marketing support for the System z Cryptographic hardware and software for IBM’s Washington Systems Center. In that role, he assisted customers with installation and technical questions on the cryptographic products, and regularly presented at conferences such as SHARE, IBM’s zTechnical University and the Vanguard Security and Compliance Conference.

[email protected]

www.mainframecrypto.com

240-772-1539

http://www.mainframecrypto.com/

©

Julie Intro

• Recently from IBM, I provided technical leadership and sales support activities to achieve competitive security product take-outs in North America, and promotes sales of additional security product components.

•CISSP-ISSMP, CBCP •Experienced Security Professional •Years creating / architecting security solutions on z Systems•RACF, CA ACF2, CA Top Secret•Systems Programmer• IT Management •Application Programmer•Audit Director

©

IBM Definition of Pervasive Encryption

• Full Disk Encryption• Integrated Crypto Hardware• Network Encryption • Data Set and File Encryption• Coupling Facility Encryption• Secure Service Container• Key Management (EKMF & TKE)• z/OS 2.4 (JESSPOOL and PDS/E)

©

Configuration requirements

• Machine type (z15/z15 T02, z14/z14s, z13/z13s, zEC12/zBC12)

• With appropriate Crypto Express cards• With master keys loaded

• Operating System• z/OS 2.4 • z/OS 2.3• z/OS 2.2 w/APAR OA50569• z/OS 2.1 w/APAR OA50569 (supports reading/writing an encrypted

data set, but not creating an encrypted data set)• ICSF

• HCR77D1-HCR77C0• HCR77A0-HCR77B1 w/APAR OA50450

©

z/OS data set encryption – High Level Steps

1 2 3

Generate an encryption key and key label, store it in

the CKDS .

Setup RACF for use of key label

Allow secure key to be used as protected key

via ICSF segment

- SYMCPACFWRAP

- SYMCPACFRET

Grant access to key label

Associate the key label with the desired

data set(s).

In RACF, alter DFP segment in data set profile - DATAKEY()

In DFSMS, assign to data class

– OR –– AND –

DB2:

Online Reorg

IMS HA Database:

Online Reorg

zFS Container:

zfsadmin encrypt

VSAM or Seq data set:

1. Stop application

2. Copy data

3. Restart application

Migrate to encrypted data

4

In RACF, permit access to new resource in FACILITY class

Defining a robust key management

strategy is critical!

Storage Admin

Security Admin DBASecurity Admin ICSF Admin

User

Storage Admin

User

©

Key Management

• TKE – Trusted Key Entry• EKMF – Enterprise Key Management Facility• EKMF Web - Enterprise Key Management Facility Web • IBM SKLM 4.0 for Docker running in a z/OS Container

Extensions – Announcement Letter 219-514 • ICSF – Integrated Cryptographic Services Facility

©


1 2 3


the CKDS .



via ICSF segment

- SYMCPACFWRAP

- SYMCPACFRET



data set(s).



– OR –– AND –

DB2:

Online Reorg

IMS HA Database:

Online Reorg

zFS Container:

zfsadmin encrypt


1. Stop application

2. Copy data



4




Storage Admin


User

Storage Admin

User

©

RACF Classes • CSFKEYS• CSFSERV• FACILITY• OPERCMDS• XFACILIT

• ICSF – key store policies additional support – strongly implement. For example prohibit duplicate keys.

• DFP Segment• ICSF Segment

©

Encryption enabled at allocation

• DFP Segment of the SAF data set profile• SMS Data Class • JCL, TSO Allocate (Dynamic Allocation)• IDCAMS

©


1 2 3


the CKDS .



via ICSF segment

- SYMCPACFWRAP

- SYMCPACFRET



data set(s).



– OR –– AND –

DB2:

Online Reorg

IMS HA Database:

Online Reorg

zFS Container:

zfsadmin encrypt


1. Stop application

2. Copy data



4




Storage Admin


User

Storage Admin

User

©

How do you rotate keys?There are two types of key rotation that you can perform on IBM Z:

• Master Key Rotation• Operational Key Rotation

Operational Keys

Operational keys are used in various cryptographic operations (e.g. encryption).

Operational keys may be stored in a key store (e.g. data set, file, database) or returned back to the

caller.

Operational keys may be encrypted by a Master Key to be considered secure keys.

Master Keys

Master keys are used only to encipher and decipher keys.

Master keys are stored in secure, tamper responding hardware.

©

When can you delete an operational key used with data set encryption?

Life of data set = Life of key

NIST SP800-57 Recommendation for Key Management

Part 1-3

©


1 2 3

Generate an encryption key and key label, store

it in the CKDS .



via ICSF segment

- SYMCPACFWRAP

- SYMCPACFRET


Associate the key label with the desired data

set(s).



– OR –– AND –

DB2:

Online Reorg

IMS HA Database:

Online Reorg

zFS Container:

zfsadmin encrypt


1. Stop application

2. Copy data



4


Non-

disruptive

Non-

disruptive

Non-

disruptive

Defining a robust key management strategy is

critical!

Storage Admin Security Admin

DBASecurity Admin ICSF Admin

User

Storage Admin

User

©

Questions?

dataset encryption – just do it!

Documents